Lukas Haase
2009-Dec-15 15:24 UTC
[Dovecot] Why dovecot does not want to read my acl file?
Hi,

Simple scenario: shared namespace and a specific UNIX group should have access to it. System is Debian lenny (stable).

# cat /etc/dovecot/dovecot.conf
[...]
namespace public {
  separator = .
  prefix = Shared.
  location = maildir:/var/mail/shared
}

mail_executable = /usr/local/sbin/dovecot-imap-fix.sh
mail_drop_priv_before_exec = no  # just to make sure
[...]

# dpkg -l | grep dovecot
ii  dovecot-common  1:1.0.15-2.3+lenny1  secure mail server that
ii  dovecot-imapd   1:1.0.15-2.3+lenny1  secure IMAP server that

# cat /usr/local/sbin/dovecot-imap-fix.sh
#!/bin/sh
# Debugging: dump the ACL file and the environment as seen by this process.
cat /var/mail/shared/.Office/dovecot-acl > /tmp/dovecot-$USER
env >> /tmp/dovecot-$USER
# Comma-separated list of the user's groups, exported for the acl plugin.
ACL_GROUPS=`groups $USER | tr ' ' ','`
export ACL_GROUPS
# Hand over to the real imap binary with the original arguments intact.
exec /usr/lib/dovecot/imap "$@"

# ls -la -R /var/mail/shared/   (cut the ., .. in output)
/var/mail/shared/:
total 28
drwxrwx---  5 root office 4096 Dec 15 15:53 .Office
drwxr-xr-x  2 root root   4096 Dec 14 16:55 cur
-rw-r--r--  1 root root     23 Dec 15 07:46 dovecot-acl
-rw-r--r--  1 root root      0 Dec 15 07:42 dovecot-shared
drwxr-xr-x  2 root root   4096 Dec 14 16:55 new
drwxr-xr-x  2 root root   4096 Dec 14 16:55 tmp

/var/mail/shared/.Office:
total 24
drwxrwx---  2 root office 4096 Dec 15 09:53 cur
-rw-r--r--  1 root root     52 Dec 15 15:53 dovecot-acl
-rw-rw----  1 root office    0 Dec 15 07:42 dovecot-shared
drwxrwx---  2 root office 4096 Dec 15 09:53 new
drwxrwx---  2 root office 4096 Dec 15 09:53 tmp

# id peter
uid=1000(peter) gid=100(users) groups=51683(office),25783(ssh_users),100(users)
#

Now I log in as peter, but my client (latest TB 2) does not display the Office folder. In the log it claims that it is not able to open the ACL file, which really can NOT be true:

Dec 15 15:56:05 mail dovecot: IMAP(peter): acl vfile: no access to file /var/mail/shared/.Office/dovecot-acl

I tried:
* su peter: access no problem!
* ps aux: the process is running as peter
* As you can see I have debugging code in my dovecot-imap-fix.sh which successfully prints out the content of the ACL file to /tmp/user-peter

I can't imagine that; it seems as if it is not true.

By the way: as soon as I change the mail_executable to /usr/local/sbin/dovecot-imap-fix.sh I get this message and have absolutely no clue why:

# /etc/init.d/dovecot restart
Restarting IMAP/POP3 mail server: dovecotid: dump-capability: No such user
.
#

Which dump-capability? Which user?

Does anybody have an idea what could be wrong here?

Thank you very much,
Luke
Charles Marcus
2009-Dec-15 19:50 UTC
[Dovecot] Why dovecot does not want to read my acl file?
On 12/15/2009, Lukas Haase (lukashaase at gmx.at) wrote:
> # cat /etc/dovecot/dovecot.conf

No, output of dovecot -n please...

--
Best regards,
Charles
Timo Sirainen
2009-Dec-15 19:53 UTC
[Dovecot] Why dovecot does not want to read my acl file?
On Wed, 2009-12-16 at 00:24 +0900, Lukas Haase wrote:
> mail_drop_priv_before_exec = no #just to make sure

"no" means it starts the process as root. I guess you meant to use "yes".

> # cat /usr/local/sbin/dovecot-imap-fix.sh
> #!/bin/sh
> cat /var/mail/shared/.Office/dovecot-acl > /tmp/dovecot-$USER

It reads the file while running as root.

> ACL_GROUPS=`groups $USER | tr ' ' ','`
> export ACL_GROUPS

I don't think ACL_GROUPS is supported by Dovecot v1.0.

> By the way: As soon as I change the mail_executable to
> /usr/local/sbin/dovecot-imap-fix.sh I get this message and have
> absolutely no clue why:
>
> # /etc/init.d/dovecot restart
> Restarting IMAP/POP3 mail server: dovecotid: dump-capability: No such user
> .
> #
>
> Which dump-capability? Which user?

It's because at startup Dovecot executes the imap mail_executable as the "dump-capability" user to find out what IMAP capabilities the enabled plugins add. In your script you should probably check that if $USER=dump-capability, you don't do anything special.
Lukas Haase
2009-Dec-16 02:53 UTC
[Dovecot] Why dovecot does not want to read my acl file?
Hi Timo,

Thank you for your reply!

Timo Sirainen schrieb:
> On Wed, 2009-12-16 at 00:24 +0900, Lukas Haase wrote:
>> mail_drop_priv_before_exec = no #just to make sure
>
> "no" means it starts the process as root as root. I guess you meant to
> use "yes".

I know, but I tried both in order to see if it is maybe because of this entry. Anyway, the ACL could not be read either way...

> [...]
>> ACL_GROUPS=`groups $USER | tr ' ' ','`
>> export ACL_GROUPS
>
> I don't think ACL_GROUPS is supported by Dovecot v1.0.

:( :(

But nevertheless, let us just forget about the ACL_GROUPS; I would be interested why the ACL file could not be read.

Further things I forgot:
* In the homedirs the scenario is the same. The one user that has access to the files is the user peter itself, and there I got no errors about reading the ACL files.
* Reading succeeds when I set the directory (.Office) to 755.
* For testing I wrote "authenticated lrwstiek" into the dovecot-acl, which means that the problem can not depend on the ACL itself.

I just do not understand. The process runs as user peter and complains that it is unable to open the ACL file. But the file is definitely readable for user peter, as I checked with su. Also the error is gone when I set the directory to 755 ... that sounds really strange to me...

>> By the way: As soon as I change the mail_executable to
>> /usr/local/sbin/dovecot-imap-fix.sh I get this message and have
>> absolutely no clue why:
>>
>> # /etc/init.d/dovecot restart
>> Restarting IMAP/POP3 mail server: dovecotid: dump-capability: No such user
>> .
>> #
>>
>> Which dump-capability? Which user?
>
> It's because at startup Dovecot executes imap mail_executable as
> "dump-capability" user to find out what IMAP capabilities enabled
> plugins add. In your script you should probably check that if
> $USER=dump-capability, don't do anything special.

Hmm, I do not fully understand. You can see my whole script in the OP ... nothing special is done there, isn't it?

Best regards,
Luke
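The two observations above ("su peter" can read the file, but the imap process cannot, and chmod 755 on .Office makes the error go away) are exactly what a missing supplementary group looks like at the kernel's permission check: .Office is mode 770 root:office, so a process running as peter reaches dovecot-acl only if gid 51683 (office) is in its group list. Whether Dovecot 1.0 gives the imap process peter's supplementary groups depends on configuration (in Dovecot 1.x the setting mail_access_groups adds groups; the dovecot -n output in this thread does not set it), so that cause is an assumption here, not something the thread establishes. The following Python model is an added example and not code from the thread or from Dovecot. It reproduces the Unix DAC check over each path component using the ownership and mode bits from the OP's ls -la -R output and the ids from "id peter"; the modes of /, /var and /var/mail are not in the listing and are assumed to be 755.

```python
# Added example (not from the thread or from Dovecot): model the kernel's
# discretionary access check along /var/mail/shared/.Office/dovecot-acl for
# two credential sets of the same user: the one "su peter" produces (full
# supplementary group list via initgroups) and the one a server gets from a
# bare setgid()/setuid() without adding groups (assumed cause, see lead-in).
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    path: str
    uid: int
    gid: int
    mode: int  # permission bits only, e.g. 0o770


@dataclass(frozen=True)
class Creds:
    uid: int
    gid: int
    groups: frozenset  # supplementary gids


UID_ROOT, GID_ROOT = 0, 0
GID_OFFICE, GID_USERS, GID_SSH_USERS = 51683, 100, 25783

# Constructed from the OP's listing. /, /var and /var/mail are assumed 0o755.
TREE = {
    "/": Entry("/", UID_ROOT, GID_ROOT, 0o755),
    "/var": Entry("/var", UID_ROOT, GID_ROOT, 0o755),
    "/var/mail": Entry("/var/mail", UID_ROOT, GID_ROOT, 0o755),
    "/var/mail/shared": Entry("/var/mail/shared", UID_ROOT, GID_ROOT, 0o755),
    "/var/mail/shared/.Office": Entry("/var/mail/shared/.Office", UID_ROOT, GID_OFFICE, 0o770),
    "/var/mail/shared/.Office/dovecot-acl": Entry(
        "/var/mail/shared/.Office/dovecot-acl", UID_ROOT, GID_ROOT, 0o644),
}
ACL_PATH = "/var/mail/shared/.Office/dovecot-acl"

# What "su peter" gives: uid/gid plus every group listed by "id peter".
PETER_LOGIN = Creds(1000, GID_USERS, frozenset({GID_OFFICE, GID_SSH_USERS, GID_USERS}))
# What setgid(100)+setuid(1000) without initgroups() gives: primary gid only.
PETER_NO_SUPP_GROUPS = Creds(1000, GID_USERS, frozenset())


def _class_bits(entry: Entry, creds: Creds) -> int:
    """Pick the owner, group or other triplet the way the kernel does (first match wins)."""
    if creds.uid == entry.uid:
        return (entry.mode >> 6) & 0o7
    if creds.gid == entry.gid or entry.gid in creds.groups:
        return (entry.mode >> 3) & 0o7
    return entry.mode & 0o7


def can_read(tree, path, creds):
    """Return (ok, reason): every directory on the way needs 'x', the file itself needs 'r'."""
    if creds.uid == 0:
        return True, "root bypasses DAC"
    parts = [p for p in path.split("/") if p]
    dirs = ["/"]
    for part in parts[:-1]:
        dirs.append(dirs[-1].rstrip("/") + "/" + part)
    for d in dirs:
        if not _class_bits(tree[d], creds) & 0o1:
            return False, f"no search (x) permission on {d}"
    if not _class_bits(tree[path], creds) & 0o4:
        return False, f"no read (r) permission on {path}"
    return True, "readable"


def diagnose(tree=TREE, path=ACL_PATH):
    """Compare both credential sets, then show why the OP's chmod 755 workaround helps."""
    results = {
        "su_peter": can_read(tree, path, PETER_LOGIN),
        "setuid_only": can_read(tree, path, PETER_NO_SUPP_GROUPS),
    }
    relaxed = dict(tree)
    office = "/var/mail/shared/.Office"
    relaxed[office] = Entry(office, tree[office].uid, tree[office].gid, 0o755)
    results["setuid_only_after_chmod_755"] = can_read(relaxed, path, PETER_NO_SUPP_GROUPS)
    return results


if __name__ == "__main__":
    for name, (ok, why) in diagnose().items():
        print(f"{name:28s} {'OK    ' if ok else 'DENIED'}  {why}")
```

The model reports "readable" for the su credentials and "no search (x) permission on /var/mail/shared/.Office" for the primary-gid-only credentials, and readable again once .Office is 755, which matches the three observations in the mail. The practical check on the real system is therefore to log the group list from inside the imap process (for example `id` in the wrapper after privileges are dropped) rather than from an interactive su shell, and to keep the ACL-file read out of any code that still runs as root.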
Peter Mairhofer
2009-Dec-16 02:55 UTC
[Dovecot] Why dovecot does not want to read my acl file?
Charles Marcus schrieb:
> On 12/15/2009, Lukas Haase (lukashaase at gmx.at) wrote:
>> # cat /etc/dovecot/dovecot.conf
>
> No, output of dovecot -n please...

Sorry:

# 1.0.15: /etc/dovecot/dovecot.conf
log_timestamp: %Y-%m-%d %H:%M:%S
protocols: imaps managesieve
ssl_ca_file: /etc/ssl/services/mail/sub.class1.server.ca.crt
ssl_cert_file: /etc/ssl/services/mail/mail.crt
ssl_key_file: /etc/ssl/services/mail/mail.key
login_dir: /var/run/dovecot/login
login_executable(default): /usr/lib/dovecot/imap-login
login_executable(imap): /usr/lib/dovecot/imap-login
login_executable(managesieve): /usr/lib/dovecot/managesieve-login
mail_privileged_group: mail
mail_location: maildir:~/Maildir
mail_executable(default): /usr/local/sbin/dovecot-imap-fix.sh
mail_executable(imap): /usr/local/sbin/dovecot-imap-fix.sh
mail_executable(managesieve): /usr/local/sbin/managesieve-nsfix.sh
mail_plugins(default): acl
mail_plugins(imap): acl
mail_plugins(managesieve):
mail_plugin_dir(default): /usr/lib/dovecot/modules/imap
mail_plugin_dir(imap): /usr/lib/dovecot/modules/imap
mail_plugin_dir(managesieve): /usr/lib/dovecot/modules/managesieve
sieve_storage(default):
sieve_storage(imap):
sieve_storage(managesieve): ~/sieve
sieve(default):
sieve(imap):
sieve(managesieve): ~/.dovecot.sieve
namespace:
  type: private
  separator: .
  prefix: INBOX.
  inbox: yes
namespace:
  type: public
  separator: .
  prefix: Public.
  location: maildir:/var/mail/public:CONTROL=~/Maildir/public:INDEX=~/Maildir/public
namespace:
  type: public
  separator: .
  prefix: Shared.
  location: maildir:/var/mail/shared
auth default:
  passdb:
    driver: passwd-file
    args: /etc/dovecot/passwd
  passdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
  userdb:
    driver: prefetch
  userdb:
    driver: ldap
    args: /etc/dovecot/dovecot-ldap.conf
plugin:
  sieve_global_path: /etc/dovecot/default.sieve
  acl: vfile

Regards,
Luke